France to Require Quantum-Safe Standards for ANSSI Cybersecurity Certification

Quantum-safe regulations and legislation are still relatively few and far between, but momentum has started to pick up as major industry players have shortened the expected timeline until “Q-Day” arrives. The latest development comes from France, which will require that products demonstrate adoption of quantum-era standards to receive the ANSSI cybersecurity certification.

The news was delivered at the France Quantum conference, where the news about quantum-safe readiness was a mixed bag. Attendees reported a definite increased interest in quantum-ready security products, and projections for the market over the next 10 years are very optimistic. But at the moment, organizations are generally still struggling with readiness to include even forming their initial plans and roadmaps for an issue that might become real in as little as three or four years.

Quantum-safe requirements still slow in coming as Google predicts trouble in 2029

The ANSSI certification is not required for most products, but it is a requirement for those used by the French government and critical infrastructure companies. These products will need to be quantum-safe starting in 2027. While no further requirements have been announced, ANSSI chief of staff Samih Souissi did add that the agency would like to see all products meet the same standard by 2030.

“Q-Day” is the day on which a quantum computer proves capable and stable enough to defeat a currently-used encryption standard in a trivial amount of time, but industry experts believe it will not be a case of the first computer of this sort being able to break all encryption immediately. More likely a single standard will be focused on, with many believing Elliptic Curve Digital Signature Algorithm (ECDSA) will be the first to be heavily targeted and fall.

Of course any encrypted data stolen now could be cracked later, regardless of how this timeline plays out. So there is already substantial pressure to move to quantum-safe, but this has yet to translate into much in the way of government pressure. The US and EU Commission have adopted some similar rules, but as with the ANSSI proposal they are largely not in effect as of yet and target a limited section of government and industry.

Organizations are also keenly aware of the problem, but there tend to be a lot of obstacles in the form of compatibility and legacy systems. There has also not been a lot of time since any kind of industry standard quantum-safe options were settled on, with NIST just making the first move in August 2024.

Is quantum readiness moving fast enough?

For a long time now, the quantum threat has always been “about 10 years off.” That may have caused some to relax and stop taking it seriously. Google’s announcement that the company intends to make itself internally ready by 2029 was something of a wake-up call, but there are still many that believe quantum-safe won’t be a complete necessity until around 2035.

What is certain at this point is that NIST intends to deprecate current encryption by 2030, and while no one has a crystal ball that seems to be the final warning line for readiness. However, being ready by 2030 would mean organizations that are still struggling with a plan need to begin actually acting within the next few months. The first step for most will be an inventory of all cryptography currently in use that will need to be replaced with something quantum-safe. This is also a good prompt to review zero-trust implementations and the storage of encrypted and sensitive data that might be exfiltrated before these plans can be seen all the way through.

However, there is also still a strong “hurry up and wait” element at this point; quantum readiness relies to a great degree on vendors and software developers making their own moves with their products.